Containers and Kubernetes container orchestration have revolutionized many aspects of developing, deploying, and scaling applications and infrastructure. Containerized architectures enable developers to focus on what they do best: developing applications. Containers and Kubernetes lessen the burden on developers by eliminating the task of incorporating details about the runtime environment. Containers and Kubernetes normalize and scale runtime issues.
Containerized solutions allow the developer to build once and run anywhere. The developer does not have to adapt applications to run on Azure, AWS, on-premises, or any combination of possible environments.
At the same time, the security challenges present in individual runtime environment solutions have not gone away. While containerized architectures remove many environmental details from developers’ responsibilities and allow freedom of choice of cloud platform, they can complicate security by creating a broader attack surface.
When you use a cloud platform, you rely on the provider’s infrastructure being secure. However, you still need to address the additional vulnerabilities introduced by oversights in developing and deploying your containers and applications. You are still responsible for what you put in place and how you configure it in the cloud. You must be aware of and address security concerns at each step of the container lifecycle.
We’ll focus on four container lifecycle security steps:
- Admission controller security
- Image layer scanning and registry scanning for existing containers
- CI/CD container image build pipeline scanning
- Runtime security
Addressing each of these areas helps guard your containers against attack.
Admission Controller Security
An admission controller reviews requests to the Kubernetes API server. This takes place after a request has been authenticated and authorized but before an object is persisted. The Kubernetes admission controller governs how the cluster is configured or used. An admission controller can also validate a container-based deployment of an application, for example by checking its deployment manifest file.
Admission controllers address questions such as:
- Is a pod requesting a “reasonable” number of resources?
- Are the images used to create microservice pods secure?
- Are deployment priorities being followed?
- Which privileges are granted to which deployments? Do they adhere to principles such as the least privilege to do the job?
You can configure the admission controller to stop non-compliant deployments from running. Loosely set policies can introduce vulnerabilities; a well-configured admission controller lets you detect vulnerabilities and create and enforce policies so that only compliant containers run.
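The following is an added example, not Trend Micro’s or Kubernetes’ code: the decision logic a validating admission webhook would apply to a Pod AdmissionReview to answer the four questions above (resource requests, image trust, privileges). The allowed registry, the CPU cap and the sample request are constructed assumptions.

```python
# Added example (not Trend Micro's or Kubernetes' code): validating admission
# logic for a Pod AdmissionReview. Registry allow-list and CPU cap are assumptions.
ALLOWED_REGISTRIES = ("registry.example.internal/",)  # assumption
MAX_CPU_MILLIS = 2000                                  # assumption: "reasonable" cap

def cpu_millis(q: str) -> int:
    """Parse a Kubernetes CPU quantity ('500m' or '2') into millicores."""
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)

def review_pod(pod: dict) -> list:
    """Return policy violations for a Pod object; an empty list means compliant."""
    violations = []
    for c in pod["spec"].get("containers", []):
        name, img = c["name"], c.get("image", "")
        # Image provenance: trusted registry only, pinned by digest rather than tag.
        if not img.startswith(ALLOWED_REGISTRIES):
            violations.append(f"{name}: image {img!r} not from an allowed registry")
        if "@sha256:" not in img:
            violations.append(f"{name}: image must be pinned by digest")
        # Resource requests: required, and the CPU request within a reasonable bound.
        req = c.get("resources", {}).get("requests", {})
        if "cpu" not in req or "memory" not in req:
            violations.append(f"{name}: cpu and memory requests are required")
        elif cpu_millis(req["cpu"]) > MAX_CPU_MILLIS:
            violations.append(f"{name}: cpu request exceeds {MAX_CPU_MILLIS}m")
        # Least privilege: no privileged mode, no running as root.
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{name}: privileged containers are not allowed")
        if sc.get("runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
    return violations

def admission_response(review: dict) -> dict:
    """Build the AdmissionReview response the API server expects from a webhook."""
    req = review["request"]
    violations = review_pod(req["object"])
    resp = {"uid": req["uid"], "allowed": not violations}
    if violations:
        resp["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

# Constructed sample: a Pod request that violates several of the checks above.
SAMPLE_REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "7b1e", "object": {"spec": {"containers": [
        {"name": "web", "image": "docker.io/library/nginx:latest",
         "resources": {"requests": {"cpu": "4", "memory": "512Mi"}},
         "securityContext": {"privileged": True}}]}}}}

if __name__ == "__main__": print(admission_response(SAMPLE_REVIEW)["response"])
```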
Image Layer and Registry Scanning
Containerized solutions are easy to deploy to various environments and situations. But with a containerized solution, any vulnerability packaged inside the container image is exploitable across all running instances. Scanning for and detecting policy violations or malware within your existing containers should be a significant part of your security operations.
To safeguard against these issues, continuously scan all existing containers to ensure they conform to security policies. Frequent scans are especially important when patching and updating existing containers. Scanning existing images detects malware or sensitive data, such as API keys and passwords, within the image.
You may need to customize your scans based on the container’s use. Creating advanced security policies enables you to customize enforcement based on a system of names and tags associated with a given container.
Shift Left: Early-Stage Scanning
The key to creating a secure container environment is to start at the beginning, that is, to shift left in your development pipeline. Wherever you look in a continuous integration and continuous delivery (CI/CD) pipeline, the earlier you implement security practices, the easier it is to prevent vulnerabilities from being packaged into containers.
Container image scanning is where shifting left pays off. If you integrate with the CI/CD pipeline and perform layer-based scanning at build time of the container image, you can prevent vulnerabilities, malware, and secrets from being wrapped inside your container image. You can also prevent that image from being shipped to the container registry referenced above. This saves your organization time, money, and headaches. Since you can integrate with your source repository and CI/CD tooling, you can trace accountability back to the developer who introduced the vulnerability. It is a lot easier to fix issues in the build pipeline prior to runt
Container Runtime Security
While creating an environment that prevents security risks from becoming a reality is paramount, monitoring containerized applications at runtime is still essential. Runtime protection involves monitoring every cluster for all containerized applications running in each node. Monitoring might involve:
- Detecting disallowed commands
- Detecting attempts to illegally access files
- Building runtime models and monitoring for deviations
- Tracking management tasks and policy adherence
- Reporting and analyzing Kubernetes deployments and actions
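As an added example (not Trend Micro’s code), the detection logic behind the first three monitoring items above, run over constructed container activity events: disallowed commands, sensitive file access, and deviation from a learned runtime model. The event format, the baseline model, the rule lists and the pod and image names are all assumptions.

```python
# Added example (not Trend Micro's code): detection logic for the runtime
# monitoring items above, run over constructed container activity events.
# Event format, baseline model and rule lists are assumptions for illustration.
DISALLOWED_COMMANDS = {"sh", "bash", "curl", "wget", "apt-get", "nc"}  # assumption
SENSITIVE_PATHS = ("/etc/shadow", "/var/run/secrets/kubernetes.io/")   # assumption
# Runtime model: the processes each image was observed running during a baseline period.
BASELINE = {"registry.example.internal/api": {"gunicorn", "python3"}}  # assumption

# Constructed sample events, in the shape a node-level runtime sensor might emit.
EVENTS = [
    {"pod": "api-7c9f", "image": "registry.example.internal/api", "type": "exec", "comm": "gunicorn"},
    {"pod": "api-7c9f", "image": "registry.example.internal/api", "type": "open", "comm": "gunicorn",
     "path": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"pod": "api-7c9f", "image": "registry.example.internal/api", "type": "exec", "comm": "bash"},
    {"pod": "api-7c9f", "image": "registry.example.internal/api", "type": "open", "comm": "bash",
     "path": "/etc/shadow"},
    {"pod": "batch-2d1a", "image": "registry.example.internal/batch", "type": "exec", "comm": "python3"},
]

def evaluate(event: dict) -> list:
    """Return alert strings for a single event; an empty list means nothing to report."""
    alerts = []
    pod, image, comm = event["pod"], event["image"], event["comm"]
    expected = BASELINE.get(image)  # None when the image has no runtime model yet
    if event["type"] == "exec":
        if comm in DISALLOWED_COMMANDS:
            alerts.append(f"{pod}: disallowed command {comm!r}")
        if expected is not None and comm not in expected:
            alerts.append(f"{pod}: {comm!r} deviates from the runtime model of {image}")
    elif event["type"] == "open" and event["path"].startswith(SENSITIVE_PATHS):
        # The modelled application reading its own service-account token is normal;
        # an unmodelled process, or any read of /etc/shadow, is not.
        if expected is None or comm not in expected or event["path"] == "/etc/shadow":
            alerts.append(f"{pod}: {comm!r} accessed sensitive path {event['path']}")
    return alerts

def run_detection(events: list) -> list:
    """Evaluate an event stream in order and return every alert raised."""
    return [alert for event in events for alert in evaluate(event)]

def alerts_per_pod(events: list) -> dict:
    """Summarise findings by pod, for reporting on what each deployment did."""
    summary = {}
    for event in events:
        summary[event["pod"]] = summary.get(event["pod"], 0) + len(evaluate(event))
    return summary

if __name__ == "__main__":
    print("\n".join(run_detection(EVENTS)))
```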
While containerization increases application deployment speed, it opens up a new range of security risks. End-to-end container lifecycle security is key to mitigating these risks.
Conclusion
Taking advantage of CI/CD, IaC, DevOps, and containerized deployments to various cloud environments opens your enterprise to new security risks. Some of these risks are mitigated by the cloud provider, while you must address others during the development cycle.
When deploying containers, focus on the admission controller, image layer scanning and registry scanning, shifting scanning left, and runtime security.
Tools like Trend Micro Cloud One Container Security enable you to incorporate and automate all these security capabilities into your system. Trend Micro helps secure your existing containers and Kubernetes infrastructure, enabling you to incorporate new container orchestration into your infrastructure. To start protecting your cloud infrastructure from attack, try Trend Micro Cloud One free for thirty days.